EUVD-2025-21376

| CVE-2025-6432 HIGH
2025-06-24 [email protected]
8.6
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 15, 2026 - 22:36 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 22:36 euvd
EUVD-2025-21376
CVE Published
Jun 24, 2025 - 13:15 nvd
HIGH 8.6

Tags

Information Disclosure Mozilla Dns Firefox Thunderbird Redhat Suse

Description

When Multi-Account Containers was enabled, DNS requests could have bypassed a SOCKS proxy when the domain name was invalid or the SOCKS proxy was not responding. This vulnerability affects Firefox < 140 and Thunderbird < 140.

Analysis

CVE-2025-6432 is a DNS proxy bypass vulnerability in Firefox and Thunderbird when Mozilla's Multi-Account Containers extension is enabled. Under specific conditions-invalid domain names or unresponsive SOCKS proxies-DNS requests circumvent the configured SOCKS proxy, potentially exposing user browsing activity to network monitoring. This affects Firefox < 140 and Thunderbird < 140, has a high CVSS score of 8.6 reflecting significant confidentiality impact, and requires network-level access but no user interaction to exploit.

Technical Context

The vulnerability resides in the Multi-Account Containers extension's DNS handling when integrated with SOCKS proxy configurations (CWE-200: Information Exposure). When a user configures Firefox/Thunderbird to route traffic through a SOCKS proxy for privacy, the extension should tunnel all DNS queries through that proxy to prevent DNS leaks. However, the implementation contains a logic flaw: if a domain name is malformed/invalid OR the SOCKS proxy is temporarily unreachable, the browser falls back to direct DNS resolution instead of properly queuing or rejecting the request. This creates an information disclosure channel where DNS queries—which reveal visited domains—bypass the proxy's privacy protections. The affected products are Mozilla Firefox (CPE: cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*) versions below 140 and Thunderbird (CPE: cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*) versions below 140, specifically in configurations with Multi-Account Containers active and SOCKS proxying enabled.

Affected Products

Mozilla Firefox (< 140); Mozilla Thunderbird (< 140)

Remediation

- step: Immediate patching; action: Upgrade Firefox to version 140 or later and Thunderbird to version 140 or later. Updates are available through Mozilla's official channels: https://www.mozilla.org/en-US/firefox/new/ and https://www.thunderbird.net/download/ - step: Temporary mitigation (pending patch); action: Disable Multi-Account Containers extension in Settings > Extensions & Themes until upgrade is available. Note: This removes container isolation but eliminates the DNS bypass vulnerability. - step: Verify proxy configuration; action: Test SOCKS proxy connectivity after patching. Use browser-based DNS leak tests (e.g., dnsleaktest.com) with containers enabled to confirm DNS queries route through proxy. Monitor proxy logs for connection drops that would have triggered the vulnerability. - step: Network-level monitoring; action: Implement DNS monitoring/filtering at network perimeter to catch leaked queries. For corporate environments, enforce SOCKS proxy failover to block mode rather than bypass mode.

Priority Score

43
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +43
POC: 0

Vendor Status

Ubuntu

Priority: Medium
firefox
Release Status Version
jammy not-affected code not present
noble not-affected code not present
oracular not-affected code not present
plucky not-affected code not present
upstream needs-triage -
questing not-affected code not present
thunderbird
Release Status Version
noble not-affected code not present
oracular not-affected code not present
plucky not-affected code not present
upstream released 140
jammy released 1:140.7.1+build1-0ubuntu0.22.04.1
questing not-affected code not present
mozjs38
Release Status Version
bionic needs-triage -
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs52
Release Status Version
bionic ignored -
focal ignored -
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs68
Release Status Version
focal ignored -
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs78
Release Status Version
jammy ignored -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs91
Release Status Version
jammy ignored -
noble DNE -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs102
Release Status Version
jammy ignored -
noble ignored -
oracular DNE -
plucky DNE -
upstream needs-triage -
questing DNE -
mozjs115
Release Status Version
jammy DNE -
noble ignored -
oracular ignored -
plucky ignored -
upstream needs-triage -
questing DNE -
USN-7991-1

Debian

firefox
Release Status Fixed Version Urgency
sid fixed 148.0.2-1 -
(unstable) fixed 140.0-1 -

Share

EUVD-2025-21376 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy